Lessons of the Past: U.S. Federal Privacy and Security Legislation Should Improve the GDPR

December 22, 2021 In Blog, Government, Privacy, Technology By Vertis McMillan

The United States’ data privacy and security laws are a patchworked system of varying industry and state requirements.^[1] These differing regulations are burdensome for companies to follow and do not adequately protect U.S. citizens.^[2] This discrepancy has led many to advocate for federal privacy legislation in the U.S. similar to the General Data Protection Regulation^[3] (“GDPR”).^[4] Doing so could give consumers a clear understanding of their rights, help businesses grasp their specific obligations for achieving compliance, and provide a sufficient method to hold violators accountable.^[5] While implementing a comprehensive federal regulation like the GDPR may resolve some of the U.S.’s regulatory woes in this space^[6], there is a tremendous opportunity to learn from its virtues and shortcomings.^[7]

Recent events indicate that the appetite for federal data privacy and cyber security legislation is at an all-time high.^[8] This momentum has culminated into multiple bills that attempt to offer a comprehensive solution to privacy and security.^[9] Most of these bills provide some overlap with provisions in the GDPR.^[10] However, two issues split both parties: (1) an individual right of action and (2) whether the legislation would preempt state laws.^[11] Republicans generally favor preempting state laws and opposing a federal private right of action to reduce complications for businesses and to focus on nefarious actors.^[12] On the other hand, Democrats support including a private right of action to empower consumers and oppose preemption to allow states to impose stricter privacy rights.^[13]

(1) Preemption of State Laws

Preempting state laws would make federal law the exclusive remedy for consumers whose information is mishandled.^[14] Preempting allows consistent regulation and enforcement and lowers the cost of compliance for businesses.^[15] Democrats argue that if state laws are not preempted, consumers will have more choice to sue under federal or state laws, and states would remain free to enact more protective privacy legislation to better protect citizens.^[16] Democrats also argue that preemption could potentially lead to weaker protections overall.^[17]

While the GDPR aimed to harmonize the rules of its member states, fragmentation remains.^[18] There are various interpretations of its rules by the supervisory authorities, and member states have the ability to provide more specific provisions in certain instances.^[19] Years after its implementation, industry and consumer groups have criticized its failure to fulfill its purpose to be a “one-stop-shop” for data regulation.^[20] In light of these repercussions, the U.S. should preempt state laws. Additionally, some bills propose rulemaking authority for the Federal Trade Commission or a specialized agency.^[21] These agencies are more likely to have better resources than what is available in each state.

(2) Private Right of Action

A private right of action would permit individuals to enforce federal privacy protections without any showing of harm.^[22] An individual rights provision provides a means of recovery for individuals and increases enforcement by shifting costs away from under-resourced agencies.^[23] This type of rule would also mitigate the industry’s influence on the regulatory agency.^[24] However, there are potential downsides to this type of private litigation,^[25] the more concerning of which is that it leads to “over-enforcement” or “ruinous liability.”^[26] Additionally, the supreme court’s ruling in Spokeo v. Robins^[27] created obstacles in establishing standing.^[28] The Supreme Court’s ruling has led to other courts to question legislative determinations constituting privacy harms, making it difficult for individuals to demonstrate “injury in fact.”^[29]

Under the GDPR, a plaintiff does not need to meet a “de minimis” threshold to be entitled to damages.^[30] However, companies are concerned with how this dramatically increases their risk exposure and whether judges will continue to recognize the wide range of damages that can be claimed under this rule.^[31] The solution is not a black and white approach to providing a private right of action, but it also does not need to be as broad as the GDPR. Creating narrower circumstances that allow individual rights of action when the injury is sufficient to establish standing for courts and to avoid frivolous lawsuits should address the concerns of both parties.^[32]

Passing a comprehensive federal data privacy and security bill is essential to protect U.S. citizens and stay on track with the rest of the world. Regulators may be close to doing so soon. However, to resolve the differences between party lines, they should create a better standard by learning from the examples set by the GDPR.

Footnotes[+]

Footnotes
1	Andrew B. Serwin, Info. Security & Privacy: A Guide to Federal and State Law and Compliance, § 1:1, at 1 (2020).
2	See Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, Couns. on Foreign Rel. (Jan. 20, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection [https://perma.cc/3SWV-3H8A].
3	Regulation (EU) 2016/679, 2016 O.J. L 119/1, available at https://gdpr-info.eu/.
4	Advocacy Groups Release Principles for Federal US Privacy Law, IAPP (Nov. 13, 2019), https://iapp.org/news/a/advocacy-groups-release-principles-for-federal-u-s-privacy-law/ [https://perma.cc/52HZ-XG6C].
5	Karen Schuler, Federal Data Privacy Regulation is on the Way — That’s a Good Thing, IAPP (Jan. 22, 2021), https://iapp.org/news/a/federal-data-privacy-regulation-is-on-the-way-thats-a-good-thing/ [https://perma.cc/ULG2-3KHR].
6	James Fukazawa, The Case for a Comprehensive U.S. Privacy and Data Protection Law, Denv. J. of Int’l L. & Pol’y (Nov. 12, 2021), http://djilp.org/the-case-for-a-comprehensive-u-s-privacy-and-data-protection-law/ [https://perma.cc/ZT6J-7CF9].
7	Roslyn Layton, Statement before the Senate Judiciary Committee On the General Data Protection Regulation and California Consumer Privacy Act: Opt- ins, Consumer Control, and the Impact on Competition and Innovation: The 10 Problems of the GDPR: The US Can Learn From the EU’s Mistakes and Leapfrog its Policy, Am. Enter. Inst., (Mar. 12, 2019), https://www.judiciary.senate.gov/imo/media/doc/Layton%20Testimony1.pdf [https://perma.cc/R9UP-7ZFL].
8	See Lana Milojevic & Brian M. Wheeler, Privacy and Data Security National Update: Increasing Federal Involvement in Data Security and Enforcement, Lexology (Nov. 5, 2021), https://www.lexology.com/library/detail.aspx?g=32e0f382-05b7-4ab8-bac9-ab873b090ab7 [https://perma.cc/CME3-2U5B]
9	Müge Fazlioglu, Privacy Bills in the 117th Congress, IAPP (Aug. 24, 2021), https://iapp.org/news/a/privacy-bills-in-the-117th-congress/ [https://perma.cc/DMG6-6B2L].
10	Jordan Kovnot & Chase Wright, Pressure Mounts on the U.S. to Pass a Competing Federal Law in 2021, JD Supra(Sept. 10, 2021), https://www.jdsupra.com/legalnews/as-states-and-nations-continue-to-enact-3228942/ [https://perma.cc/7U9F-TLVX].
11	Andrew M. Willinger & Peter A. Nelson, Recent Developments in the State Data-Privacy Landscape: Is Federal Involvement the Best Way Forward?, Patterson Belknap Webb & Tyler: Data Security L. Blog (Apr. 16, 2021), https://www.pbwt.com/data-security-law-blog/recent-developments-in-the-state-data-privacy-landscape-is-federal-involvement-the-best-way-forward [https://perma.cc/HH42-8ZPR].
12	Id.
13	Id.
14	Id.
15	See Peter Swire, US Federal Privacy Preemption Part 1: History of Federal Preemption of Stricter State Laws, IAPP (Jan. 9, 2019), https://iapp.org/news/a/us-federal-privacy-preemption-part-1-history-of-federal-preemption-of-stricter-state-laws/ [https://perma.cc/42SE-N8VZ].
16	Willinger & Nelson, supra note 11.
17	Allen St. John, Consumer Online Privacy Rights Act Could Safeguard Data, Consumer Rep. (Nov. 26, 2019), https://www.consumerreports.org/privacy/consumer-online-privacy-rights-act-could-safeguard-data-but-tough-fight-lies-ahead-a2133321838/ [https://perma.cc/S8VH-9UUK].
18	Alberto D. Felice & Martin Bell, Two Years of GDPR: A Report From The Digital Industry, Digit. Eur. (Jun. 10, 2020), https://www.digitaleurope.org/resources/two-years-of-gdpr-a-report-from-the-digital-industry/ [https://perma.cc/3BAA-K6R4].
19	Id.; see also Neil Hodge, Three years of GDPR: Many milestones, but Calls for Change Increase, Compliance Wk. (May 25, 2021), https://www.complianceweek.com/data-privacy/three-years-of-gdpr-many-milestones-but-calls-for-change-increase/30426.article [https://perma.cc/S7JK-54DB].
20	Felice & Bell, supra note 18.
21	Chris Brook, Data Protection Act of 2021Would Create US Data Protection Agency, Digit. Guardian: Data Insider Blog (June 28, 2021), https://digitalguardian.com/blog/data-protection-act-2021-would-create-us-data-protection-agency [https://perma.cc/5E3Q-RGS9]; Sonia S. Siddiqui, USA: What the SAFE DATA Act Could Mean for Companies, Data Guidance (Sept. 2020), https://www.dataguidance.com/opinion/usa-what-safe-data-act-could-mean-companies [https://perma.cc/MZV6-CKWA].
22	Joseph Jerome, Private Right of Action Shouldn’t be a Yes-No Proposition in Federal US Privacy Legislation, IAPP (Oct. 3 2019), https://iapp.org/news/a/private-right-of-action-shouldnt-be-a-yes-no-proposition-in-federal-privacy-legislation/ [https://perma.cc/QYH5-2TK7].
23	Id.
24	Id.
25	Stephen B. Burbank et al., Private Enforcement, 17 Lewis & Clark L. Rev. 637, 667–71 (2013).
26	Jerome, supra note 22.
27	578 U.S. 330 (2016).
28	Jerome, supra note 22.
29	Id.
30	Detlev Gabel et al., Compensating Non-material Damages Based on Article 82 GDPR – Is There a De Minimis Threshold?, White & Case (Mar. 2, 2021), https://www.whitecase.com/publications/alert/compensating-non-material-damages-based-article-82-gdpr-there-de-minimis [https://perma.cc/9WDK-3L4N].
31	Id.
32	See Jerome, supra note 22.

Vertis McMillan

Vertis McMillan is a second-year J.D. candidate at the Fordham University School of Law and a staff member of the intellectual Property, Media & Entertainment Law Journal. He holds a B.S. in Finance from the University at Albany (SUNY).

Lessons of the Past: U.S. Federal Privacy and Security Legislation Should Improve the GDPR

Lessons of the Past: U.S. Federal Privacy and Security Legislation Should Improve the GDPR

Share this:

Related

Vertis McMillan